Advisory March 13, 2025

FBI’s investigation Regarding Medusa Ransomware

#StopRansomware

Medusa ransomware is an advanced ransomware-as-a-service (RaaS) that emerged in June 2021. Using a double extortion model encrypting data and threatening to expose sensitive information. Medusa threat actors stealthily infiltrate networks via partnerships with initial access brokers and exploitation of unpatched vulnerabilities. It has impacted over 300 victims across various sectors, underscoring its persistent threat.

Description:

Medusa ransomware is a sophisticated ransomware-as-a-service (RaaS) that was first identified in June 2021 and has since impacted over 300 victims, with confirmed cases as recent as February 2025. Notably, Medusa is distinct from both the MedusaLocker and Medusa mobile malware variants. The threat actors behind Medusa collaborate with initial access brokers (IABs) on cybercriminal forums and marketplaces to gain access into the target networks. Once they have successfully gained access, they employ living-off-the-land (LOTL) techniques and legitimate tools such as Advanced IP Scanner to enumerate users, systems, and networks during the discovery phase. For defensive evasion, these adversaries utilize common utilities like Certutil (certutil.exe) to execute file ingress without raising alarms. Ultimately, Medusa operators execute a double extortion scheme: they encrypt victim data and, via a Tor browser-based live chat, demand that victims initiate contact within 48 hours under the threat of exposing sensitive information.

Affected Industries:

The Medusa ransomware has impacted over 300 organizations across various critical infrastructure sectors. The affected industries include:

  • Medical
  • Education
  • Legal
  • Insurance
  • Technology
  • Manufacturing.

Recommendations:

  • Patch Management: Regularly update and patch operating systems and software to mitigate vulnerabilities.
  • Network Segmentation: Implement network segmentation to limit lateral movement within the organization.
  • Traffic Filtering: Use firewalls to filter network traffic and prevent unauthorized access.
  • Disable Unnecessary Ports and Services: Close any unused ports and disable services that are not essential for operations.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA for remote access and critical accounts to enhance security.
  • Regular Backups: Maintain up-to-date backups of critical data stored offline to facilitate recovery in case of an attack.
  • Incident Response Plan: Develop and regularly test an incident response plan tailored to ransomware scenarios.
  • Employee Training: Conduct regular training sessions for employees on recognizing phishing attempts and other social engineering tactics.
  • Ensure automatic updates are enabled for future instances whenever possible.

 

References: